MCO-2152: MCO-2153: MCO-2154: Create MCO network policies for pods

[HarshwardhanPatil07]

- What I did
Added NetworkPolicy support for the openshift-machine-config-operator namespace to implement default-deny plus explicit allow rules for pod-networked MCO components.

Introduced new manifests:

• manifests/networkpolicy/00-default-deny.yaml
• manifests/networkpolicy/01-allow-machine-config-operator.yaml
• manifests/networkpolicy/02-allow-machine-config-controller.yaml
• manifests/networkpolicy/03-allow-machine-os-builder.yaml

- How to verify it

- Description for the changelog

Summary by CodeRabbit

• New Features

  • Operator now manages NetworkPolicies in the machine-config namespace: creates a default-deny and allow policies for operator components, conditionally adds/removes an allow policy for machine-os-builder when layered pools exist, and enforces deletion protection via a validating admission policy.

• Tests

  • Added unit and end-to-end tests validating policy creation, specs, conditional behavior, modification reversion, coexistence with user policies, and deletion blocking.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

Walkthrough

This PR adds NetworkPolicy management to the machine-config-operator controller. It wires a NetworkPolicy informer into the operator lifecycle, implements reconciliation to apply static and conditional NetworkPolicies in the machine-config namespace, adds an admission policy preventing deletion of managed policies, and includes unit and e2e tests validating behavior.

Changes

NetworkPolicy Management for Machine Config Operator

Layer / File(s)	Summary
NetworkPolicy Informer Integration pkg/operator/operator.go, cmd/machine-config-operator/start.go	Operator struct gains networkPolicyInformerSynced; New accepts NetworkPolicyInformer; informer registered with shared informers, cache sync tracked, and a "NetworkPolicies" sync step added; start command passes the namespaced informer.
NetworkPolicy Sync Logic pkg/operator/network_policy.go	Implements Operator.syncNetworkPolicies and builder helpers to server-side apply three static NetworkPolicies and conditionally apply/delete the machine-os-builder policy based on layered MachineConfigPool presence.
NetworkPolicy Unit Tests pkg/operator/network_policy_test.go	Adds unit tests that verify static policy creation, default-deny selector and types, allow-policy selectors/ports/rules, conditional creation of machine-os-builder when layered pools exist, and deletion behavior when layered pools are removed.
Admission Policy Manifests manifests/machineconfigcontroller/networkpolicy-deletion-guard-validatingadmissionpolicy.yaml, manifests/machineconfigcontroller/networkpolicy-deletion-guard-validatingadmissionpolicybinding.yaml	Adds a ValidatingAdmissionPolicy and Binding that deny DELETE requests for namespaced NetworkPolicies in the operator namespace unless the name is allowlisted.
Include Manifests in Controller Sync pkg/operator/sync.go	Adds manifest path constants and includes the new validating admission policy and binding in the lists applied by syncMachineConfigController.
End-to-end tests test/e2e-2of2/network_policy_test.go	Adds e2e tests validating managed NetworkPolicies exist and match specs, are restored after modification, deletion is blocked by admission policy, policies persist while MCO processes run, and user policies can coexist.

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 4.17% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	❓ Inconclusive	Custom check specifies Ginkgo test requirements (It blocks, BeforeEach/AfterEach, Eventually/Consistently) but the added tests use testify/standard Go testing, not Ginkgo.	Clarify whether the check applies to testify-based tests or only Ginkgo tests. If testify tests are in scope, assess against testify best practices instead.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Test files use standard Go testing framework, not Ginkgo. All test names are stable, descriptive static strings with no dynamic content (timestamps, UUIDs, pod names, node names, or IP addresses).
Microshift Test Compatibility	✅ Passed	The custom check applies only to new Ginkgo e2e tests (It/Describe/Context/When patterns). This PR adds only standard Go testing (*testing.T) tests, not Ginkgo tests, so the check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Tests added are standard Go tests (not Ginkgo), so the SNO compatibility check for Ginkgo patterns does not apply. Tests verify NetworkPolicy specs and operator reconciliation without multi-node as...
Topology-Aware Scheduling Compatibility	✅ Passed	PR introduces only NetworkPolicy management (network-layer rules) and ValidatingAdmissionPolicy, with no pod affinity, topology spread, nodeSelector, tolerations, or replica-count logic that assume...
Ote Binary Stdout Contract	✅ Passed	No process-level stdout violations found. E2E tests have no BeforeSuite/suite setup with stdout. Main process has klog properly configured to stderr via flag.Set("logtostderr", "true").
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Tests added are standard Go tests, not Ginkgo tests. They contain no IPv4-specific hardcoded addresses, parsing logic, external connectivity requirements, or network assumptions incompatible with I...
No-Weak-Crypto	✅ Passed	The PR introduces NetworkPolicy support for the MCO namespace. A comprehensive search across all 8 modified/added files found no usage of weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, B...
Container-Privileges	✅ Passed	PR adds NetworkPolicy resources and validating admission policies only—no container specs with privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, or allowPrivilegeEscalation are introduced.
No-Sensitive-Data-In-Logs	✅ Passed	No logging statements exposing sensitive data (passwords, tokens, API keys, PII, session IDs, hostnames, or customer data) found in any new/modified files.
Title check	✅ Passed	The title clearly references the three related Jira issues (MCO-2152, MCO-2153, MCO-2154) and accurately summarizes the main change: creating MCO network policies for pods.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[HarshwardhanPatil07]

/retitle (WIP) MCO-2152: Create MCO network policies for pods

[openshift-ci-robot]

@HarshwardhanPatil07: This pull request references MCO-2152 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

- What I did
Added NetworkPolicy support for the openshift-machine-config-operator namespace to implement default-deny plus explicit allow rules for pod-networked MCO components.

Introduced new manifests:

• manifests/networkpolicy/00-default-deny.yaml
• manifests/networkpolicy/01-allow-machine-config-operator.yaml
• manifests/networkpolicy/02-allow-machine-config-controller.yaml
• manifests/networkpolicy/03-allow-machine-os-builder.yaml

- How to verify it

- Description for the changelog

Summary by CodeRabbit

Release Notes

• New Features

• Implemented network policies to restrict network traffic across cluster components

• Added default-deny policy with component-specific allowlists for machine-config components (operator, controller, and OS builder)

• Network policies enforce automatic ingress/egress restrictions

• Tests

• Added comprehensive test coverage for network policy creation, validation, and enforcement

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[HarshwardhanPatil07]

/test security

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: HarshwardhanPatil07

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [HarshwardhanPatil07]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e-2of2/network_policy_test.go`:
- Around line 33-42: The helper skipIfNoNetworkPolicies currently calls t.Skip
when the NetworkPolicy list is empty, which hides regressions; change this to
make the test fail instead. In skipIfNoNetworkPolicies (function name), after
the require.NoError check, replace the t.Skip branch with an assertion that the
returned policies list is non-empty (e.g., require.Greater(t,
len(policies.Items), 0, "expected at least one NetworkPolicy in MCO namespace")
or t.Fatalf with an explanatory message) so missing managed NetworkPolicies
cause a test failure rather than being skipped.
- Around line 178-187: The test currently only asserts statuses when a condition
is present, allowing missing conditions to pass; update the loop over
co.Status.Conditions to track presence of configv1.OperatorAvailable and
configv1.OperatorDegraded (e.g., foundAvailable, foundDegraded booleans),
continue asserting their Status values as you already do for
OperatorAvailable==ConditionTrue and OperatorDegraded==ConditionFalse, and after
the loop add explicit assertions that both foundAvailable and foundDegraded are
true so missing conditions fail the test (refer to co.Status.Conditions and the
condition Type checks for configv1.OperatorAvailable and
configv1.OperatorDegraded).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5872788b-97d8-4b08-a54b-7435f9797cc1

📥 Commits

Reviewing files that changed from the base of the PR and between 7762f52 and 7de6d83.

📒 Files selected for processing (4)

• manifests/machineconfigcontroller/networkpolicy-deletion-guard-validatingadmissionpolicy.yaml
• manifests/machineconfigcontroller/networkpolicy-deletion-guard-validatingadmissionpolicybinding.yaml
• pkg/operator/sync.go
• test/e2e-2of2/network_policy_test.go

✅ Files skipped from review due to trivial changes (2)

• manifests/machineconfigcontroller/networkpolicy-deletion-guard-validatingadmissionpolicybinding.yaml
• manifests/machineconfigcontroller/networkpolicy-deletion-guard-validatingadmissionpolicy.yaml

[openshift-ci]

@HarshwardhanPatil07: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[HarshwardhanPatil07]

/retitle MCO-2152: MCO-2153: MCO-2154: Create MCO network policies for pods